CrowdStrike's investigation into the large-scale PowerSchool data breach of December 2024 has been published. The investigation determined that unauthorized access to the company's systems began four months earlier, in August and September 2024. With more than 60 million students and 18,000 customers worldwide, PowerSchool is the world's leading cloud-based software provider for K-12 education.
PowerSchool's services include enrollment management, communication tools, attendance tracking, staff administration, learning solutions, analytics, and financial management. In December, PowerSchool disclosed that threat actors had gained unauthorized access to its customer support portal, PowerSource.
Through this portal, the attackers used a remote maintenance tool to connect to customer databases. As a result, sensitive information such as full names, physical addresses, contact information, Social Security numbers (SSNs), medical records, and academic grades could have been accessed.
CrowdStrike's findings add considerable detail to the timeline and scope of the incident and underline the need for stronger measures to protect sensitive educational data. The investigation revealed that the attacker had stolen support credentials several months earlier and used them to access the company's network.
CrowdStrike's report indicates that PowerSchool's network was accessed between August 16, 2024 and September 17, 2024 with the same compromised credentials used in December. These credentials granted unauthorized access to PowerSource, the customer support portal that was later exploited in December to gain access to PowerSchool's network.
According to the report, PowerSource is intended to give support technicians the privileges needed to access customer SIS database instances for maintenance.
CrowdStrike noted that the limited log data available prevented further analysis, and the investigation did not find sufficient evidence to conclusively link the August and September activity to the threat actor responsible for the December breach. The report does suggest, however, that the December breach could have been avoided had the compromised credentials been updated in time.
Measures such as regular credential updates and enhanced monitoring can prevent unauthorized access to sensitive data. On February 28, 2025, PowerSchool released an update containing the findings of CrowdStrike's investigation, which underlines the importance of proactive cybersecurity measures.
According to the report, the attack on the PowerSource customer support portal was carried out with compromised credentials. The unauthorized access began on December 19, 2024 at 19:43:14 UTC and lasted until December 28, 2024 at 06:31:18 UTC, when it was discovered and mitigated.
CrowdStrike found that the attackers exfiltrated sensitive data belonging to teachers and students from the compromised systems, but found no evidence that other databases were accessed or stolen.
The investigation found no malware deployed within PowerSchool's infrastructure and no indication of privilege escalation, lateral movement, or compromise of downstream customer or school systems. Based on CrowdStrike's dark web intelligence as of January 2, 2025, the attackers appear to have kept their promise not to publish the stolen data after receiving an extortion payment.
The firm has not identified any instance of the information being sold or leaked online. Further analysis showed that the PowerSource portal was also breached in August and September 2024 using the same compromised credentials, suggesting that the compromise could have begun even earlier. However, because of limitations in log data retention, there is insufficient evidence to confirm whether the same threat actor is behind both the earlier breaches and the December attack.
Specifically, the report states that PowerSource logs for August 16, 2024 at 01:27:29 UTC show unauthorized access by an unidentified actor using compromised support credentials. CrowdStrike also pointed out that the available SIS log data did not extend far enough back to determine whether that access resulted in the exfiltration of data from PowerSchool's SIS.
Despite the severity of the breach, PowerSchool has not publicly disclosed the number of schools, students, and teachers affected, raising questions about transparency. According to the report, the breach affects 6,505 school districts across the United States, Canada, and other countries, and the stolen data set contains approximately 62,488,628 student records and 9,506,624 teacher records.
In light of these findings, stringent measures, including timely credential management and enhanced monitoring, must be put in place to protect sensitive educational data from unauthorized access. PowerSchool has assured stakeholders that all necessary precautions have been taken to prevent any further unauthorized access to the compromised data.
In a notice to parents and guardians, the company said that it did not expect the stolen information to be released publicly and that the data had been permanently deleted without being duplicated or spread further.
An in-depth analysis of PowerSchool system logs, which began on December 22, 2024, identified unusual activity affecting both on-premises and cloud-hosted PowerSchool customers.
According to the investigation, two key data tables, Students_export.csv and Teachers_export.csv, were transferred to an IP address traced back to Ukraine and then deleted.
Two IP addresses were involved, among them 91.218.50.11; they belong to Virtual Systems, a legitimate hosting provider. This suggests that the attacker most likely either rented a server directly or exploited an existing account.
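The two patterns in the report, a single support credential that stays valid and in use from August through December, and export files sent to an outside IP and then deleted shortly afterwards, are both things a defender can check for mechanically from ordinary portal and database audit logs. The following Python is an added example written for this page, not code from PowerSchool, CrowdStrike or the article's author. All events, credential names, the internal address ranges, the 90-day rotation period and the 30-minute detection window are constructed assumptions; the only value taken from the page is the hosting-provider IP 91.218.50.11. It also includes the retention check behind CrowdStrike's caveat that the SIS logs did not reach back far enough.

```python
"""Defender-side checks for the two patterns described in the PowerSchool
write-up: (1) one support credential reused across widely separated periods,
which a rotation policy would have cut off, and (2) an export -> external
transfer -> delete sequence on a sensitive table.  Example code written for
this page; every event below is constructed, not PowerSchool/CrowdStrike data."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed support-portal login events (credential id, time, source IP).
AUTH_EVENTS = [
    {"cred": "support-tech-17", "time": ts("2024-08-16 01:27:29"), "ip": "203.0.113.5"},
    {"cred": "support-tech-17", "time": ts("2024-09-17 22:10:00"), "ip": "203.0.113.5"},
    {"cred": "support-tech-17", "time": ts("2024-12-19 19:43:14"), "ip": "203.0.113.5"},
    {"cred": "support-tech-02", "time": ts("2024-12-20 09:00:00"), "ip": "198.51.100.7"},
]

# Constructed audit events from one customer database instance.
FILE_EVENTS = [
    {"time": ts("2024-12-22 03:01:00"), "action": "export", "object": "Students_export.csv", "dest": None},
    {"time": ts("2024-12-22 03:04:30"), "action": "transfer", "object": "Students_export.csv", "dest": "91.218.50.11"},
    {"time": ts("2024-12-22 03:06:00"), "action": "delete", "object": "Students_export.csv", "dest": None},
    {"time": ts("2024-12-22 03:10:00"), "action": "export", "object": "Attendance_export.csv", "dest": None},
    {"time": ts("2024-12-22 03:12:00"), "action": "transfer", "object": "Attendance_export.csv", "dest": "10.20.0.9"},
]

SENSITIVE_TABLES = {"Students_export.csv", "Teachers_export.csv"}
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges


def activity_clusters(events, gap_days=14):
    """Group each credential's logins into bursts separated by more than
    gap_days of silence.  Returns {cred: [(first_seen, last_seen), ...]}."""
    by_cred = {}
    for e in sorted(events, key=lambda e: e["time"]):
        clusters = by_cred.setdefault(e["cred"], [])
        if clusters and (e["time"] - clusters[-1][1]).days <= gap_days:
            clusters[-1] = (clusters[-1][0], e["time"])
        else:
            clusters.append((e["time"], e["time"]))
    return by_cred


def stale_credentials(events, max_age_days=90, gap_days=14):
    """Credentials whose first-to-last login span exceeds the rotation policy
    and which come back after a long gap: the August/September/December shape.
    Returns {cred: lifetime_in_days}."""
    flagged = {}
    for cred, clusters in activity_clusters(events, gap_days).items():
        lifetime = (clusters[-1][1] - clusters[0][0]).days
        if lifetime > max_age_days and len(clusters) > 1:
            flagged[cred] = lifetime
    return flagged


def exfil_chains(file_events, sensitive=SENSITIVE_TABLES, window=timedelta(minutes=30)):
    """Find export -> transfer to a non-internal IP -> delete on a sensitive
    table, with the transfer inside `window` of the export.
    Returns [(object, dest_ip, deleted_afterwards), ...]."""
    found = []
    ordered = sorted(file_events, key=lambda e: e["time"])
    for obj in sorted(sensitive):
        steps = [e for e in ordered if e["object"] == obj]
        export = next((e for e in steps if e["action"] == "export"), None)
        if export is None:
            continue
        for t in steps:
            if t["action"] != "transfer" or t["time"] - export["time"] > window:
                continue
            if t["dest"] and not any(ip_address(t["dest"]) in r for r in INTERNAL_RANGES):
                deleted = any(d["action"] == "delete" and export["time"] < d["time"] <= t["time"] + window
                              for d in steps)
                found.append((obj, t["dest"], deleted))
    return found


def outside_retention(event_time, retention_days, as_of):
    """True when event_time predates what a log store keeping retention_days
    of history up to as_of can still show (the gap CrowdStrike hit for SIS logs)."""
    return event_time < as_of - timedelta(days=retention_days)


if __name__ == "__main__":
    print("credentials overdue for rotation:", stale_credentials(AUTH_EVENTS))
    print("suspicious export chains:", exfil_chains(FILE_EVENTS))
    discovered = ts("2024-12-28 06:31:18")
    print("August login still in a 90-day log window?",
          not outside_retention(ts("2024-08-16 01:27:29"), 90, discovered))
```

With a 90-day rotation policy the support credential would have expired before its December reuse, which is the point the report makes about timely credential updates; the retention check shows why a 90-day log window, checked at discovery on December 28, can no longer confirm what the August login did.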
As soon as PowerSchool discovered the breach on December 28, 2024, it engaged CyberSteward, a cybersecurity incident response company, to negotiate with the attacker and resolve the matter.
According to an internal FAQ reported on by cybersecurity journalist Brian Krebs, PowerSchool requested assurances concerning the fate of the stolen data. The threat actor subsequently confirmed to PowerSchool that all exfiltrated data had been erased and that no additional copies had been kept.
The attacker is also alleged to have provided a video showing the file deletion process.
The findings show that the threat landscape has evolved dramatically over the past decade and that organizations increasingly need robust security measures to limit unauthorized access to, and exploitation of, sensitive information.
CrowdStrike's investigation makes clear that cyber threats to schools and educational institutions have become increasingly sophisticated and that action must be taken to prepare for them.
The PowerSchool breach, which went undetected for months, illustrates the dangers posed by compromised credentials and the risks of unauthorized access to students' and faculty's sensitive data.
PowerSchool has assured that the necessary precautions have been taken to prevent further misuse of the stolen data, yet the incident is a critical reminder of the vulnerabilities in the digital infrastructure that handles vast amounts of information about individual students and teachers.
Given the late detection of the breach and the extent of the data exfiltration, continuous monitoring, prompt credential updates, and robust access controls are imperative.
To remain secure going forward, educational institutions and technology providers must adopt advanced threat detection, enforce multi-factor authentication, and follow rigorous incident response protocols.
Transparency in disclosing breaches remains crucial for maintaining public trust and ensuring that affected stakeholders are informed.
As cybercriminals' tactics keep changing, organizations must remain vigilant and strengthen their security frameworks to reduce the risk of a future breach. All institutions that handle sensitive data should take note of this event. It is a strong reminder that cybersecurity is not merely a precaution but one of the essential responsibilities of modern educational institutions.